This isn't just an issue for British companies
Data protection and employee privacy should be a major concern for HR leaders. The emergence of new rules around General Data Protection Regulation (GDPR) means that organizations across the globe will have to ensure they’re compliant – or risk hefty fines.
In fact, the cost of non-compliance can be up to four per cent of your global revenue, according to ClearCompany.
Despite common misconceptions, GDPR is a not just an EU issue. The regulations apply to any business which stores the data of an EU citizen – meaning it applies to companies based outside of the EU just as much as it does to European firms. Despite this, many global businesses seem to be ignoring it and its potential impact on their HR analytics.
To shed some light on the problem, HRD spoke to Arabella Underwood, human capital management director and global GDPR expert at Frost & Sullivan.
“Personally, from speaking to my network of HR leaders, I think that global businesses have not taken this seriously,” she explained. “We’ll only see the real effects of GDPR when the first huge fine is issued and publicized. I found that external promotion was vast in the UK but not so in the rest of the European region – there was little to none in terms of global advertising.”
This lack of global awareness is concerning. Recently, Canadian firm AggregateIQ was hit with a GDPR notice by the UK’s communication’s watchdog. AIQ was hired by the Vote Leave party during the recent Brexit campaign, and has since been accused by the Information Commissioner's Office of using people's data for “purposes which they would have not
expected”. And, whilst this may be an isolated incident, it does prove that international organizations need to be fully briefed on the potential pitfalls of exploiting GDPR.
“As an international organization, Frost & Sullivan have had a massive transformation piece on our hands,” continued Arabella. “We’re a matrixed business, so we’ve had to map out processes that pertain to the handling of European data with colleagues across the globe, as typically our business units are international entities that collaborate on projects together.
“This data could be held on servers all over the world, so we’ve had to make sure we’ve got the right IT infrastructure to be able to track and manage where, what, how and for how long the data is stored.”
According to Arabella, GDPR could present a huge opportunity for HR and their data strategy. Organizations now have the opportunity to streamline their internal data, meaning less privacy breaches and security risks. The tricky part for international companies is playing catch up to their EU counterparts.
“I think it will take a while for some businesses to take GDPR seriously,” continued Arabella. “We’ll need to see a new headcount appear in companies that have usually relied on their legal, HR or finance departments for compliance and data protection.”
This is done through the appointment of a dedicated person (Data Protection Officer) who’ll help mitigate any risk and manage the process, education and financial implications of GDPR for their company. It’s HR’s role to collaborate with the other functions across the board and to help drive and lead the compliance initiative.
“Initially, directing the GPDR communication and learning piece for our organization was a key directive for the European HR team,” added Arabella. “Other people-led initiatives had to take a back seat. HR has to be at the forefront, creating and directing the polices that need to be complied with. It’s such a huge part of the HR function because people’s data is a huge part of our day to day life. We need to make sure that we are handling the information in the right way and adhering to local laws.”
International organizations should be able to justify why they’re keeping personal data and how they’re going to use it. One way of proactively weeding out any potential problems is to create a global data policy. This should include direction on how HR should act if data is breached, define all protection policies and – importantly – explain the responsibilities employees have when handling client data.